S3E2: Hacking Tracking Pix & Macro Stomping Tricks

On today's show, Nick Carr and Christopher Glyer break down the anatomy of a really cool pre-attack technique - tracking pixels - and how it can inform more restrictive & evasive payloads in the next stage of an intrusion. We're joined by Rick Cole (@a_tweeter_user) to explore one such evasive method seen in-the-wild: Macro Stomping. And we close the show by deep-diving with Matt Bromiley (@_bromiley) on the critical vulnerability we've been responding to most in 2020 - and what we've seen several attackers do post-compromise.

Just as a targeted intruder might, we start our operation with email tracking pixels. We break down how these legitimate marketing tools are leveraged by attackers looking to learn more about their planned victim's behavior and system - prior to sending any first stage malware. We break down the different variations on these trackers for both benign and malicious uses. For examples of each style of tracking pixel, see Glyer's recent tweet thread (https://twitter.com/cglyer/status/1222255759687372801). We also talk through how red team operators use this technique in their campaigns today - a discussion sparked by this great offensive security thread (https://twitter.com/malcomvetter/status/1222539003565694985). This trend of professional target profiling - drawing both inspiration and specific tracking tools from the marketing industry - is highly effective and a trend we expect to continue.

Next on the episode, we explain how document profiling accomplishes the same end goal as email pixels - and how it can share information about the current version of Microsoft Office on the potential victim's system. Similar to execution guardrails, this Office version information for Microsoft Word or Excel could be used to deliver malware that is highly evasive and only runs on that profile.

We also pivot into some potential use cases for fingerprinting Office versions. We discuss VBA macro stomping and file format intricacies that require attackers to understand the version of Office a target may be using, in order to create evasive spear phishing lures that may bypass both static and dynamic detections. Rick Cole joins us to talk through an active attacker using macro stomping for evasion - both p-code compiling and PROJECT stream manipulation. Rick walks through a brief overview of the technique and a particular financial threat actor who loves macro stomping as much as they love Onyx. Rick co-authored a blog on the topic (https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html) and has an excellent tweet thread linking to other research (https://twitter.com/a_tweeter_user/status/1225062617632428033).

Finally, we're joined by a surprise second guest! Matt Bromiley drops in to discuss FireEye's efforts to respond to the critical Citrix vulnerability, CVE-2019-19781, that went public on January 10, 2020. Matt helps us break down some of the activity we've seen since then, including distinct uncategorized clusters of activity for NOTROBIN, coin-mining, and attempted ETERNALBLUE-laced ransomware.

In addition to securing his customers in Managed Defense, Matt's been working with the team to release several blogs, defender tips, and tools on the vulnerability:

• Matt and Nick published an initial blog on the topic - detailing exploit timelines, evasive attackers, and resilient approaches to detection (https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html)

• Our colleagues Willi Ballenthin and Josh Madeley unveiled NOTROBIN and the concept of exploit squatter's rights in the blog with the title adored by Reddit's netsec sub (https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html)

S3E1: Spotlight Iran - from Cain & Abel to full SANDSPY

In response to increased U.S.-Iran tensions stemming from the recent killing of Quds Force leader Qasem Soleimani by U.S. forces and concerns of potential retaliatory cyber attacks, we're bringing the latest from our front-line experts on all things Iran. Christopher Glyer and Nick Carr are joined by Sarah Jones (@sj94356) and Andrew Thompson (@QW5kcmV3) to provide a glimpse into Iran-nexus threat groups - including APT33, APT34, APT35, APT39, and TEMP.Zagros - as well as the freshest actionable information on suspected Iranian uncategorized (UNC) groups that are active right now.

We get right into it with a picture of Iranian compromise activity from just a few years ago - what we observed and the basic, cookie-cutter approach to their intrusions - and then begin to walk through the stark contrast to their TTPs today. We discuss how and why their Computer Network Operations (CNO) have evolved quickly and provide a detailed walk-through of all of the graduated Iranian APT groups.

Our experts share their experiences with each group, moments in time that surprised or impressed us from Iranian threat actors, and notable shifts in behavior - as well as our standing questions. Iranian intrusion operators have come a long way from DDoS & defacement, basic scanning, Cain & Abel and ASPXspy... to DNS hijacking, social engineering via LinkedIn, information operations, and backdoors like QUADAGENT, SANDSPY, TANKSHELL - then filling in the gaps with the quick adoption of offensive security post-compromise tools and techniques.

S2E13: Rudolph the Redsourced Reindeer

Ho ho homepage! Christopher Glyer and Nick Carr are back for the last episode of 2019. They're closing the year with a look at this month's front-line espionage activity and a whole bunch of FIN intrusions! In addition to the threat round-up, they highlight some of our Mandiant consultants doing that work and a few DFIR tricks they included in a recent blog: https://www.fireeye.com/blog/threat-research/2019/12/tips-and-tricks-to-analyze-data-with-microsoft-excel.html. As a special bonus, Santa dropped off a slide clicker for the show so Nick and Christopher decide to go deep on their recent presentation at #CYBERWARCON on "red sourcing." An episode sure to make them friends on infosec twitter! The presentation was a 10 minute #threatintel lightning talk, but embracing the Christmas spirit, the gang tries to navigate a sensitive area of current debate by spending more time on red sourcing: providing some evidence and observations on APT groups moving to publicly released post-compromise tooling; some potential motivations; and then questioning whether any tool can ever be fully controlled (e.g. Delpy/MIMIKATZ evil maid scenario, recent Turla coopting APT34 access & tools). Because RULER.HOMEPAGE was touched on in the talk, they expand a bit further on this and highlight the recent blog that Nick co-authored on how attackers (like UNC1194) can conduct intrusions from just a single registry key. They also question whether the technique's usage via Outlook installed through Office 365's Click-to-Run is technically CVE-2017-11774 or not. I guess we need another episode with MSRC! They end the year with some spicy predictions for 2020. You'll see. Thanks for watching and listening this year!

This episode was sponsored by bad decisions and office holiday parties - and especially both.

S2E12: Shellcode. DLLy DLLy!

Christopher Glyer and Nick Carr are back with an extremely offensive episode with red teamers Evan Pena (@evan_pena2003) and Casey Erikson (@EriksocSecurity). They get right into why they use shellcode (any piece of self-contained executable code) and some of the latest shellcode execution & injection techniques that are working in-the-wild.

In previous episodes, the gang has discussed how attackers - both authorized and unauthorized - have shifted away from PowerShell and scripting-based tooling to C# and shellcode due to improved visibility, detection, and prevention provided by more logging, AMSI, and endpoint security tooling. In this episode, they explore how FireEye's Mandiant Red Team has responded to this pressure and the techniques they've used to continue to operate.

Casey and Evan share their research around the benefits & drawbacks of the three primary techniques for running shellcode and a project they just released - DueDLLigence - to enable conversion of any shellcode into flexible DLLs for sideloading or LOLbin'ing: https://github.com/fireeye/DueDLLigence

If you want to learn more, check out their blog and #DailyToolDrop at: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html

S2E10: from MATH import CYBERZ*

Christopher Glyer and Nick Carr interview Matt Berninger (@secbern) about his journey from Incident Responder to Data Scientist and how that has shaped his perspective on ML applications and issues in the industry today.

This discussion provides a brief overview of Data Science fundamentals and how they apply to common cybersecurity problems. They also discuss how to navigate the deluge of ML marketing and what considerations to make before including ML in your security stack. Finally, they dive into some recent Data Science projects and explain how the FireEye Data Science team works with practitioners around the company to solve complex problems.

Customer Reviews

Good info. Worth a listen.

Great chemistry

Great podcast series! Really like how down to earth you guys are and the topics you tackle each month.

JoshStepp, 06/26/2018

Good show... when you can hear it

The show and hosts are great and provide great knowledge and resources to the community. However, the recent shows have been plagued with awful sound quality to the point of not being able to hear anyone.